Model checking is an automatic verification technique for hardware and software systems. However, it suffers from the state-space explosion problem. In this paper we address this problem in the context of cryptographic protocols by proposing a security property-dependent heuristic. The heuristic weights the state space by exploiting the security formulae; the weights may then be used to explore the state space when searching for attacks.

1 Introduction 

Security protocols present many interesting challenges from both pragmatic and theoretical points of view: they are ubiquitous and, despite their apparent simplicity, pose many theoretical challenges. One of the most interesting aspects of security protocols is the complexity of the verification algorithms that check their correctness; in fact, under many models of the intruder, correctness is undecidable and/or computationally hard [15, 12, 11, 26].

Many authors have formalised security protocols in terms of process calculi suitable for defining verification frameworks (model checking, path analysis, static analysis, etc.) [21, 1, 7, 8]. Model checking (MC) techniques have been exploited in the design and implementation of automated tools [13, 23], and symbolic techniques have been proposed to tackle the state explosion problem [3, 9, 10, 18].

This paper promotes the use of directed MC for security protocols. We define a heuristic based on the logic formulae formalising the security properties of interest and we show how such a heuristic may drive the search for an attack path. Specifically, we represent the behaviour of a security protocol in the (symbolic) MC framework based on cIP and PL, respectively a cryptographic process calculus and a logic for specifying security properties, both introduced in [18]. An original aspect of this framework is that it allows one to explicitly represent instances 1 of participants and to predicate over them.

Intuitively, the heuristic ranks the nodes and the edges of the state space by inspecting the syntactical structure of the formula expressing the security property of interest. More precisely, the state space consists of the transition system representing the possible runs of a protocol; our heuristic weights states and transitions by considering which instances of principals have joined the context and how they are quantified in the security formula. Weights are designed so that the most promising paths are tried before less promising directions. Rather interestingly, the heuristic can rule out a portion of the state space by exploring only a part of it: we show that the heuristic may cut some directions because they cannot lead to attacks, and the heuristic is proved to be correct, namely no attack can be found in the portion of the state space it cuts.

*The authors thank the anonymous reviewers for their valuable suggestions and Alberto Lluch-Lafuente for the useful 
discussions. 

1 This key feature of the framework is supported by the use of open variables, a linguistic mechanism to tune and combine 
instances that join the run of a protocol. 
To the best of our knowledge, heuristic methods have not yet been explored to analyse security protocols (at least in the terms proposed in this paper), which may be surprising. In general, many of the features of heuristics fit rather well with the verification of security protocols. More precisely, (i) optimality of the solution ("the attack") is not required when validating protocols (violations of properties of interest are typically considered equally harmful), (ii) the graph-like structures (e.g., labelled transition systems) representing the behaviour of security protocols usually have 'symmetric regions' which may be ignored once one of them is checked, and (iii) heuristic search may be easily combined with several verification frameworks and particularly with MC. The lack of such a research thread is possibly due to the fact that it is in general hard to define heuristics for security protocols. In fact, heuristics are typically tailored on (properties of) a goal state and measure the "distance" from a state to a goal state. In the verification of security protocols, this would boil down to measuring the distance from an attack, i.e., from a state where a security property is violated. Therefore, designing heuristics suitable to improve MC of security protocols is hard, as attacks cannot be characterised beforehand.

Here, we argue that heuristic search may be uniformly used in the verification of security protocols and provide some interesting cases of how our approach improves efficiency. In fact, we illustrate how the use of the heuristic can greatly improve the efficiency of the search by cutting the directions that cannot contain attacks.

Our approach seems rather promising; although this research is at an initial stage, it can be extended in many directions. Finally, we argue that our proposal can be applied to other verification frameworks like [8] or to inductive proof methods like [24, 17] (see § 5).

Structure of the paper. § 2 summarizes the concepts necessary to understand our work; § 3 yields the 
definition of our heuristic which is then evaluated and proved correct in § 4; § 5 concludes the paper and 
discusses related work. 

2 Background 

This section fixes our notation (§ 2.1) and a few basic concepts on informed search, largely borrowed from [25] (§ 2.2).

2.1 Expressing security protocols and properties in cIP and PL

We adopt the formal framework introduced in [18], consisting of the cIP (after cryptographic Interaction Pattern) process calculus and the PL logic (after Protocol Logic), used respectively to represent security protocols and properties. Here, we only review the main ingredients of cIP and PL by means of the Needham-Schroeder (NS) public key protocol and refer the reader to [18] for a precise presentation. The NS protocol consists of the following steps

1. A → B : {na, A}_{B+}
2. B → A : {na, nb}_{A+}
3. A → B : {nb}_{B+}

where, in step 1, the initiator A sends to B a nonce na and her identity encrypted with B's public key B+; in step 2, B responds to the nonce challenge by sending to A a fresh nonce nb and na encrypted with A+, the public key of A; A concludes the protocol by sending back to B the nonce nb encrypted with B's public key.
In cIP principals consist of their identity, the list of their open variables and the actions they have to perform in the protocol. A cIP principal can either send or receive messages on a public channel, using the out and in actions respectively. The NS protocol can be formalised in cIP as follows:

A : (r)[ out({na, A}_{r+}). in({na, ?z}_{A-}). out({z}_{r+}) ]
B : ()[ in({?x, ?y}_{B-}). out({x, nb}_{y+}). in({nb}_{B-}) ]          (1)

The principal A (resp. B) in (1) represents the initiator (resp. the responder) of the NS protocol. The open variable r is meant to be bound to the identity of the responder. The principal A first executes the output action and then waits for a message matching the pattern specified in the in action. More precisely, A will receive any pair encrypted with her public key whose first component is the nonce na; upon a successful match, the second component of the pair is assigned to the variable z. For instance, {na, M}_{A+} matches {na, ?z}_{A-} for any M and assigns M to z.

We adopt the definition of formulae given in [18]:

φ, ψ ::= x_i = m | K ▷ m | Q i : A. ψ | ¬ψ | ψ ∧ ψ | ψ ∨ ψ

where Q ranges over the set of quantifiers {∀, ∃} and the x_i are indexed variables (a formula without quantifiers is called quantifier-free).

The atomic formulae x_i = m and K ▷ m hold respectively when the variable x_i is assigned the message m and when K (representing the intruder's knowledge) can derive m. Notice that quantification is over indexes i because PL predicates over the instances of the principals that are concurrently executed. A principal instance is a cIP principal indexed with a natural number; for example, the instance of the NS initiator obtained by indexing the principal A in (1) with 2 is

A_2 : (r_2)[ out({na_2, A_2}_{r_2+}). in({na_2, ?z_2}_{A_2-}). out({z_2}_{r_2+}) ]          (2)

We let [X] be the set of all instances of a principal X; e.g., the instance (2) is in [A] (§ 3 illustrates how the transition system of the cIP instances of a protocol is obtained).

As an example of PL formula, consider the formula ψ_NS predicating on (instances of) the NS protocol:

∀i : A. ∃j : B. (x_j = na_i ∧ z_i = nb_j).

The formula ψ_NS states that for every instance A_i of A there should be an instance B_j of B that has received the nonce na_i sent by A_i, and whose nonce nb_j has been received by A_i.

2.2 Basics of heuristics 

As mentioned in § 1, approaches such as symbolic MC can be used to tackle the problem of state space explosion. However, even with such approaches the search space can grow enormously. It is therefore desirable to look into methods through which the search space can be generated/explored more efficiently, namely informed search algorithms, which are characterised by the use of a heuristic function (also called evaluation function). A heuristic function assigns a weight to nodes by estimating their "distance" from a goal node.



2 Hereafter, we denote an instance simply by the indexed name of the principal; for example, the instance above will be referred to as A_2.

We recall here the basic concepts of heuristic algorithms by means of a simple example and refer the reader to [25] for a deeper presentation.

The n-puzzle (also known as the sliding-block or tile puzzle) is a well-known puzzle in which the goal is to move square tiles by sliding them horizontally or vertically into the one empty square. For n = 8 the goal configuration is depicted in Figure 1; a possible initial configuration is in Figure 2. The problem of finding the shortest path leading to the goal configuration is NP-hard.
Figure 1: The 8-puzzle goal configuration

Figure 2: A possible start configuration



A very simple heuristic (cf. [25]) for the 8-puzzle is given by

h_1 = number of misplaced tiles.

For each configuration, h_1 counts the number of tiles that are misplaced with respect to the goal configuration. For instance, h_1 weights 8 the configuration in Figure 2, since all the tiles are misplaced.

Another heuristic (cf. [25]) for the 8-puzzle exploits the so-called Manhattan distance:

h_2 = sum of the Manhattan distances of the non-empty tiles from their target positions.

So the configuration in Figure 2 is weighted 18 by h_2.

An important property of heuristics is admissibility; an admissible heuristic is one that never overestimates the cost to reach the goal node. Both h_1 and h_2 are admissible: h_1 is clearly admissible as each misplaced tile requires at least one move to reach its right place, and h_2 is also admissible as each move brings exactly one tile at most one step closer to its target. A non-admissible heuristic is h_3 = h_1 * 4; in fact, if only one tile is misplaced with respect to the goal configuration, h_3 returns 4, which overestimates the distance to the goal.
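As an added illustration of the two heuristics and of admissibility (this is example code, not code from the paper; the start configuration START is constructed here and is not the one in Figure 2), the following Python computes h_1, h_2 and h_3 and runs A* search with them. START is six moves from the goal: h_2 already reports 6, h_1 reports 5, both admissible heuristics make A* return the optimal cost 6, whereas h_3 reports 20.

```python
# Added example (not from the paper): the 8-puzzle heuristics of this section
# under A* search.  START is a configuration constructed here, not Figure 2.
import heapq

N = 3
GOAL = (1, 2, 3, 4, 5, 6, 7, 8, 0)          # 0 is the empty square
START = (2, 4, 3, 1, 0, 6, 7, 5, 8)         # six moves from GOAL

def h1(state):
    """Number of misplaced (non-empty) tiles."""
    return sum(1 for i, t in enumerate(state) if t and t != GOAL[i])

def h2(state):
    """Sum of the Manhattan distances of the non-empty tiles from their targets."""
    return sum(abs(i // N - (t - 1) // N) + abs(i % N - (t - 1) % N)
               for i, t in enumerate(state) if t)

def h3(state):
    """Not admissible: returns 4 as soon as a single tile is misplaced."""
    return 4 * h1(state)

def successors(state):
    """Slide any tile adjacent to the empty square into it."""
    b = state.index(0)
    r, c = divmod(b, N)
    for dr, dc in ((1, 0), (-1, 0), (0, 1), (0, -1)):
        nr, nc = r + dr, c + dc
        if 0 <= nr < N and 0 <= nc < N:
            s, j = list(state), nr * N + nc
            s[b], s[j] = s[j], s[b]
            yield tuple(s)

def astar(start, h):
    """A* on f = g + h: returns (cost of the first goal popped, nodes expanded).
    With an admissible h that cost is optimal."""
    frontier, best, expanded = [(h(start), 0, start)], {start: 0}, 0
    while frontier:
        f, g, s = heapq.heappop(frontier)
        if g > best[s]:
            continue                        # stale frontier entry
        if s == GOAL:
            return g, expanded
        expanded += 1
        for nxt in successors(s):
            if g + 1 < best.get(nxt, float('inf')):
                best[nxt] = g + 1
                heapq.heappush(frontier, (g + 1 + h(nxt), g + 1, nxt))
    return None, expanded
```

Because h_2 dominates h_1 (it is never smaller on any configuration) while staying admissible, A* with h_2 typically expands fewer nodes; the second component returned by astar makes that visible on a given instance.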



3 A Heuristic for Security Protocols

This section introduces our original contribution (§ 3.2), namely a heuristic for effectively searching the state space generated when model checking cryptographic protocols. As mentioned earlier, there is not much work done in this regard. Specifically (to the best of our knowledge) no work exists that can prune the state space in the verification of cryptographic protocols.

The heuristic function is defined on the security formula expressed in PL.

The heuristic is efficient as it will not only guide the search algorithm towards promising regions of the graph but can also prune those parts of the state space where no attack can happen under a given security formula.

The heuristic is defined in terms of two mutually recursive functions H_s and H_t which assign weights to states and transitions respectively. The state space is obtained according to the semantics of cIP defined in [18]. For lack of space, only an informal presentation of the semantics is given here.
3.1 The state space

A state consists of a tuple ⟨C, χ, K⟩ where

• C is a context containing the principal instances which joined the session,

• χ is a mapping of variables to messages, and

• K is a set of messages representing the intruder's knowledge.

A transition from one state to another can be the result of out and in actions performed by principal instances or of join operations non-deterministically performed by the intruder; join transitions may instantiate open variables by assigning them the identity of some principal (provided it is in K). Initially, C is empty and therefore the only possible transitions are join ones. When C contains an instance ready to send a message, an out transition can be fired, so that the sent message is added to K. If C contains a principal ready to receive a message, the intruder tries to derive from the messages in K a message that matches the pattern specified in the input action (see § 2); if such a message is found, χ is updated to record the assignments to the variables occurring in the input action.
For instance, a few possible transitions for the NS protocol are

s_0 --join--> s_1 --join--> s_2 --out--> s_3 --in--> s_4

where s_0 = ⟨∅, ∅, K_0⟩ with K_0 = {I, I+, I-}, namely initially no principal instance has joined the context, there is no assignment to variables, and the intruder only knows its identity and its public/private keys. The join transition from s_0 to s_1 adds a principal instance B_2 to the context, yielding

s_1 = ⟨ {B_2 : ()[ in({?x_2, ?y_2}_{B_2-}). out({x_2, nb_2}_{y_2+}). in({nb_2}_{B_2-}) ]}, ∅, K_1 = K_0 ∪ {B_2, B_2+} ⟩

that is, the intruder now knows B_2's identity and (by default) its public key. Similarly, the transition from s_1 to s_2 adds the principal instance A_1 to the context and therefore

s_2 = ⟨ {B_2 : ()[ in({?x_2, ?y_2}_{B_2-}). out({x_2, nb_2}_{y_2+}). in({nb_2}_{B_2-}) ],
         A_1 : (r_1)[ out({na_1, A_1}_{r_1+}). in({na_1, ?z_1}_{A_1-}). out({z_1}_{r_1+}) ]},
        {r_1 ↦ B_2},
        K_2 = K_1 ∪ {A_1, A_1+} ⟩

Notice that the open variable r_1 is now mapped to B_2. The transition from s_2 to s_3 is due to an out action:

s_3 = ⟨ {B_2 : ()[ in({?x_2, ?y_2}_{B_2-}). out({x_2, nb_2}_{y_2+}). in({nb_2}_{B_2-}) ],
         A_1 : (r_1)[ in({na_1, ?z_1}_{A_1-}). out({z_1}_{r_1+}) ]},
        {r_1 ↦ B_2},
        K_3 = K_2 ∪ {{na_1, A_1}_{B_2+}} ⟩

the prefix of A_1 is consumed and the message is added to the intruder's knowledge.

Finally, the transition from s_3 to s_4 is due to an in transition for the input prefix of B_2. The message {na_1, A_1}_{B_2+} added to the intruder's knowledge in the previous transition matches the pattern {?x_2, ?y_2}_{B_2-} specified by B_2, therefore x_2 and y_2 are assigned na_1 and A_1 respectively. Hence,

s_4 = ⟨ {B_2 : ()[ out({na_1, nb_2}_{A_1+}). in({nb_2}_{B_2-}) ],
         A_1 : (r_1)[ in({na_1, ?z_1}_{A_1-}). out({z_1}_{r_1+}) ]},
        {r_1 ↦ B_2, x_2 ↦ na_1, y_2 ↦ A_1},
        K_3 ⟩
In our framework, join transitions can be safely anticipated before any other transition (Observation 
10.1.3 in [28], page 174). 
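To make these transitions executable, here is an added Python model of the state space (example code, neither the paper's formal semantics nor ASPASyA). It encodes {m}_k as ('enc', m, k), pairs as tuples, pattern variables as '?x', keys as 'X+'/'X-', and gives the intruder a Dolev-Yao style analysis/synthesis over K; these encodings, and the choice that a pattern variable can only be bound to a term the intruder already holds in its analysed knowledge, are assumptions of the example. ns_run replays the four transitions s_0 to s_4 above and returns every assignment the intruder can force on B_2's first input: x_2 ↦ na_1, y_2 ↦ A_1 is the only one in which B_2 receives na_1, because the intruder cannot open {na_1, A_1}_{B_2+} and can only replay it. ns_attack replays the {A_1, A_2} attack of § 4.1, where both initiators take I as responder and the intruder reflects na_2 into A_1's challenge and na_1 into A_2's.

```python
# Added example (not code from the paper or ASPASyA): a cIP-style state space.
# Encoding assumed here: atoms are str, pairs are tuples, {m}_k is ('enc', m, k),
# '?x' is a pattern variable and 'X+'/'X-' are X's public/private keys.
def inverse(k):
    return k[:-1] + ('-' if k.endswith('+') else '+')

def analyse(K):
    """Intruder analysis: close K under pair splitting and decryption with held private keys."""
    K = set(K)
    while True:
        new = {c for m in K if isinstance(m, tuple) and m[0] != 'enc' for c in m}
        new |= {m[1] for m in K if isinstance(m, tuple) and m[0] == 'enc' and inverse(m[2]) in K}
        if new <= K:
            return frozenset(K)
        K |= new

def derivable(m, K):   # intruder synthesis: can m be built from the analysed knowledge K?
    if m in K or not isinstance(m, tuple):
        return m in K
    parts = (m[1], m[2]) if m[0] == 'enc' else m
    return all(derivable(c, K) for c in parts)

def subst(t, sigma):
    """Apply sigma; a key such as 'r1+' becomes 'B2+' when sigma maps r1 to B2."""
    if isinstance(t, tuple):
        return tuple(subst(c, sigma) for c in t)
    base, tag = (t[:-1], t[-1]) if t[-1] in '+-' else (t, '')
    return sigma[base] + tag if base in sigma else t

def match(pat, msg, sigma):
    """Match an input pattern against a held message; pattern key 'B-' matches 'B+' on the message."""
    if isinstance(pat, str):
        if not pat.startswith('?'):
            return sigma if pat == msg else None
        v = pat[1:]
        return {**sigma, v: msg} if v not in sigma else (sigma if sigma[v] == msg else None)
    if not isinstance(msg, tuple) or len(pat) != len(msg):
        return None
    if pat[0] == 'enc':
        ok = msg[0] == 'enc' and msg[2] == inverse(pat[2])
        return match(pat[1], msg[1], sigma) if ok else None
    for p, m in zip(pat, msg):
        sigma = match(p, m, sigma)
        if sigma is None:
            return None
    return sigma

def feed(pat, K, sigma):
    """Assignments under which the intruder can supply a message matching pat: replay a held
    message (even one it cannot open) or synthesise one, binding fresh variables to terms of K."""
    if isinstance(pat, str):
        if pat.startswith('?'):
            if pat[1:] not in sigma:
                return [{**sigma, pat[1:]: m} for m in K]
            pat = sigma[pat[1:]]
        return [sigma] if derivable(pat, K) else []
    if pat[0] == 'enc':
        found = [s for s in (match(pat, m, sigma) for m in K) if s is not None]
        if derivable(inverse(pat[2]), K):       # knows the encryption key: can build the body itself
            found += feed(pat[1], K, sigma)
        return found
    found = [sigma]
    for p in pat:
        found = [s2 for s in found for s2 in feed(p, K, s)]
    return found

def join(ctx, name, actions, opens, sigma, K):   # join: instance enters, open variables assigned,
    return {**ctx, name: actions}, {**sigma, **opens}, analyse(K | {name, name + '+'})  # I learns id, pk

def step(ctx, name, sigma, K):
    """Fire the next action of `name`: out adds the message to K; in yields one successor per forced assignment."""
    (kind, pat), *rest = ctx[name]
    ctx = {**ctx, name: rest}
    if kind == 'out':
        return [(ctx, sigma, analyse(K | {subst(pat, sigma)}))]
    uniq = {frozenset(s.items()): s for s in feed(subst(pat, sigma), K, sigma)}
    return [(ctx, s, K) for s in uniq.values()]

def initiator(i):   # A_i : (r_i)[ out({na_i,A_i}_{r_i+}). in({na_i,?z_i}_{A_i-}). out({z_i}_{r_i+}) ]
    return [('out', ('enc', (f'na{i}', f'A{i}'), f'r{i}+')), ('in', ('enc', (f'na{i}', f'?z{i}'), f'A{i}-')),
            ('out', ('enc', f'z{i}', f'r{i}+'))]

def responder(i):   # B_i : ()[ in({?x_i,?y_i}_{B_i-}). out({x_i,nb_i}_{y_i+}). in({nb_i}_{B_i-}) ]
    return [('in', ('enc', (f'?x{i}', f'?y{i}'), f'B{i}-')), ('out', ('enc', (f'x{i}', f'nb{i}'), f'y{i}+')),
            ('in', ('enc', f'nb{i}', f'B{i}-'))]

def ns_run():
    """§3.1: join B2, join A1 with r1 := B2, out of A1, then every in of B2 the intruder can force."""
    ctx, sigma, K = join({}, 'B2', responder(2), {}, {}, analyse({'I', 'I+', 'I-'}))
    ctx, sigma, K = join(ctx, 'A1', initiator(1), {'r1': 'B2'}, sigma, K)
    [(ctx, sigma, K)] = step(ctx, 'A1', sigma, K)                   # out({na1,A1}_{B2+})
    return [s for _, s, _ in step(ctx, 'B2', sigma, K)]             # in({?x2,?y2}_{B2-})

def ns_attack():
    """§4.1 attack: A1 and A2 both take I as responder; I reflects na2 into A1's challenge and na1 into A2's."""
    ctx, sigma, K = {}, {}, analyse({'I', 'I+', 'I-'})
    for i in (1, 2):
        ctx, sigma, K = join(ctx, f'A{i}', initiator(i), {f'r{i}': 'I'}, sigma, K)
        [(ctx, sigma, K)] = step(ctx, f'A{i}', sigma, K)             # out({na_i,A_i}_{I+}): I opens it
    for i, forged in ((1, 'na2'), (2, 'na1')):
        succ = [st for st in step(ctx, f'A{i}', sigma, K) if st[1][f'z{i}'] == forged]
        if not succ:
            return None
        ctx, sigma, K = succ[0]                                      # in({na_i,?z_i}_{A_i-}) with z_i := forged
    return sigma
```

The in transition is where the branching comes from: at s_3 the intruder holds eight terms and knows B_2+, so it can forge 64 pairs under B_2+ in addition to the one replay, and a model checker has to consider all 65 successors. The −∞ pruning of § 3.2 acts one level up, on the join tree, before any of this branching is generated.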

3.2 The heuristic 

For simplicity and without loss of generality, we define the heuristic on Prenex Normal Form (PNF) formulae, defined below.

Definition 1. [Prenex Normal Form] A PL formula is in prenex normal form if it is of the form

Q_1 i_1 : A_1. ··· . Q_n i_n : A_n. φ

where φ is a quantifier-free formula and, for 1 ≤ j ≤ n, Q_j ∈ {∀, ∃}, each i_j is an index variable, and A_j is a principal name.

Basically, a PNF formula is a formula where all the quantifiers are "at top level". Notice that, in Definition 1, it can be n = 0, which amounts to saying that a quantifier-free formula is already in PNF.

Theorem 3.1. Any PL formula can be transformed into a logically equivalent PNF formula.

Proof. Let the function pnf : PL → PL be defined as follows (Q̄ denotes the dual of the quantifier Q):

pnf(ψ) = ψ                                       if ψ is a quantifier-free formula
pnf(ψ) = Q i : A. pnf(ψ')                         if ψ = Q i : A. ψ'
pnf(ψ) = Q̄ i : A. pnf(¬ψ'')                       if ψ = ¬ψ' and pnf(ψ') = Q i : A. ψ''
pnf(ψ) = Q i' : A. pnf(ψ_1'[i'/i] ∧ ψ_2)          if i' fresh, ψ = ψ_1 ∧ ψ_2 and pnf(ψ_1) = Q i : A. ψ_1'
pnf(ψ) = Q i' : A. pnf(ψ_1'[i'/i] ∨ ψ_2)          if i' fresh, ψ = ψ_1 ∨ ψ_2 and pnf(ψ_1) = Q i : A. ψ_1'

The proof of Theorem 3.1 follows from the properties of pnf given by Lemmas 3.2 and 3.3 below. □

Lemma 3.2. For any formula ψ, pnf(ψ) is in PNF.

Proof. We proceed by induction on the structure of ψ.

If ψ is a quantifier-free formula then it is in PNF and, by definition of pnf, pnf(ψ) = ψ. The inductive case is proved by case analysis.

• Assume ψ = Q i : A. ψ', then by definition of pnf, pnf(ψ) = Q i : A. pnf(ψ'). By inductive hypothesis pnf(ψ') is in PNF and therefore pnf(ψ) is in PNF.

• If ψ = ψ_1 ∧ ψ_2 then, assuming pnf(ψ_1) = Q i : A. ψ_1', by definition of pnf

pnf(ψ) = Q i' : A. pnf(ψ_1'[i'/i] ∧ ψ_2)

for a fresh index i' not occurring in ψ_2. By inductive hypothesis pnf(ψ_1'[i'/i] ∧ ψ_2) is in PNF, therefore pnf(ψ) is in PNF.

• The case ψ = ψ_1 ∨ ψ_2 is analogous.

• If ψ = ¬ψ' then, assuming pnf(ψ') = Q i : A. ψ'', by definition of pnf, pnf(ψ) = Q̄ i : A. pnf(¬ψ''). By inductive hypothesis pnf(¬ψ'') is in PNF, therefore pnf(ψ) is in PNF.

□

Lemma 3.3. pnf(ψ) ⟺ ψ.

Proof. We proceed by induction on the structure of ψ.

If ψ is a quantifier-free formula then pnf(ψ) = ψ and therefore pnf(ψ) ⟺ ψ. Again, the proof for the inductive case is given by case analysis.

• Assume ψ = Q i : A. ψ', then by definition of pnf, pnf(ψ) = Q i : A. pnf(ψ'). By inductive hypothesis pnf(ψ') ⟺ ψ', hence pnf(ψ) ⟺ Q i : A. ψ' and therefore pnf(ψ) ⟺ ψ.

• If ψ = ψ_1 ∧ ψ_2 then, assuming pnf(ψ_1) = Q i : A. ψ_1', by definition of pnf

pnf(ψ) = Q i' : A. pnf(ψ_1'[i'/i] ∧ ψ_2)

for i' fresh (namely, i' does not occur in ψ_2). By inductive hypothesis pnf(ψ_1) ⟺ ψ_1, hence

ψ ⟺ pnf(ψ_1) ∧ ψ_2 = (Q i : A. ψ_1') ∧ ψ_2.

It is trivial to prove that, for any PL formula, (Q i : A. ψ) ∧ φ ⟺ Q i' : A. (ψ[i'/i] ∧ φ) whenever i' does not occur in φ, and therefore pnf(ψ) ⟺ ψ.

• The proof for ψ = ψ_1 ∨ ψ_2 is similar.

• If ψ = ¬ψ' then, assuming pnf(ψ') = Q i : A. ψ'', by definition of pnf, pnf(ψ) = Q̄ i : A. pnf(¬ψ''). By inductive hypothesis pnf(ψ') ⟺ ψ' and therefore ¬pnf(ψ') ⟺ ψ, hence ψ ⟺ ¬(Q i : A. ψ'') ⟺ Q̄ i : A. ¬ψ'' and therefore pnf(ψ) ⟺ ψ.

□
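To make the transformation concrete, here is an added Python rendering of pnf (example code, not the paper's). The formula syntax, the atom encoding (an atom carries the tuple of index variables it mentions, so that renaming can reach them), and the treatment of the two situations the definition above leaves implicit (a conjunction or disjunction whose left operand is already quantifier-free while the right one is not, handled symmetrically to the stated case; and the freshness of i' taken with respect to every index occurring anywhere in the formula) are assumptions of this example.

```python
# Added example (not code from the paper): prenex normal form for PL-style formulas.
# Formula encoding assumed here:
#   ('atom', name, indices)    an atom mentioning the index variables in `indices`
#   ('not', f)  ('and', f, g)  ('or', f, g)
#   ('Q', 'forall' | 'exists', index, principal, f)
DUAL = {'forall': 'exists', 'exists': 'forall'}

def indices(f):
    """All index variables occurring in f, bound or free."""
    if f[0] == 'atom':
        return set(f[2])
    if f[0] == 'Q':
        return {f[2]} | indices(f[4])
    return set().union(*(indices(g) for g in f[1:]))

def rename(f, old, new):
    """f[new/old]: rename the index variable `old` to `new` throughout f."""
    if f[0] == 'atom':
        return ('atom', f[1], tuple(new if i == old else i for i in f[2]))
    if f[0] == 'Q':
        return ('Q', f[1], new if f[2] == old else f[2], f[3], rename(f[4], old, new))
    return (f[0],) + tuple(rename(g, old, new) for g in f[1:])

def fresh(i, used):
    """A variant of i not in `used` (the i' of the definition)."""
    while i in used:
        i += "'"
    return i

def quantifier_free(f):
    if f[0] == 'atom':
        return True
    if f[0] == 'Q':
        return False
    return all(quantifier_free(g) for g in f[1:])

def pnf(f):
    if quantifier_free(f):                              # pnf(psi) = psi
        return f
    if f[0] == 'Q':                                     # Q i:A. psi  ->  Q i:A. pnf(psi)
        return ('Q', f[1], f[2], f[3], pnf(f[4]))
    if f[0] == 'not':                                   # not psi' with pnf(psi') = Q i:A. psi''
        g = pnf(f[1])                                   # (g starts with Q since psi' is not quantifier-free)
        return ('Q', DUAL[g[1]], g[2], g[3], pnf(('not', g[4])))
    op, left, right = f[0], pnf(f[1]), pnf(f[2])        # binary connective: pull one quantifier out
    used = indices(left) | indices(right)
    if left[0] == 'Q':                                  # stated case: pnf(psi1) = Q i:A. psi1'
        i = fresh(left[2], used)
        return ('Q', left[1], i, left[3], pnf((op, rename(left[4], left[2], i), right)))
    i = fresh(right[2], used)                           # assumed symmetric case: only pnf(psi2) is quantified
    return ('Q', right[1], i, right[3], pnf((op, left, rename(right[4], right[2], i))))

def prefix(f):
    """Split a PNF formula into its quantifier prefix [(Q, A), ...] and its matrix."""
    pre = []
    while f[0] == 'Q':
        pre.append((f[1], f[3]))
        f = f[4]
    return pre, f
```

On ψ_NS the function is the identity; on ¬ψ_NS it yields ∃i : A. ∀j : B. ¬(x_j = na_i ∧ z_i = nb_j), which is the shape of formula the heuristic of § 3.2 inspects when the search looks for a counterexample.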

The heuristic function H_s is given in Definition 2 and depends on the function H_t given in Definition 3 below.

Definition 2 (Weighting states). Given a state s and a formula φ, the state weighting function H_s is given by

H_s(s, φ) = max_{t ∈ sT} H_t(t, φ)     if sT ≠ ∅
H_s(s, φ) = −∞                          if φ = ∀i : A. φ'  ∧  sT = ∅  ∧  s ∩ [A] = ∅
H_s(s, φ) = 0                            otherwise

where sT is the set of join transitions departing from s and, assuming s = ⟨C, χ, K⟩, s ∩ [A] stands for C ∩ [A].

The function H_s takes a state, say s = ⟨C, χ, K⟩, and a formula as input and returns the maximum among the weights computed by H_t on the join transitions departing from s for φ. The weight −∞ is returned if

• φ is a universal quantification on instances of a principal A (∀i : A. φ'),

• s does not have outgoing join transitions (sT = ∅), and

• there is no instance of A in the context (s ∩ [A] = ∅).

The heuristic has been designed considering that a formula universally quantified on instances of A can be falsified only in those states where there is at least one instance of A. Therefore a context that does not have an instance of the quantified principal has no chance of falsifying the formula. In fact, the condition sT = ∅ ensures that no principal instance can later join the context. As a result, there is no possibility of falsifying the property along any path emerging from this state, which can therefore be pruned. This justifies the second case of H_s, where the value −∞ is assigned to such states.

The heuristic that assigns weights to transitions is given in Definition 3.

Definition 3 (Weighting transitions). Given a state s and a transition t in sT from s to s' = ⟨C', χ', K'⟩, the transition weighting function H_t is

H_t(t, φ) = 1 + H_s(s', φ')    if φ = ∀i : A. φ'  ∧  C' ∩ [A] ≠ ∅,
H_t(t, φ) = 1 + H_s(s', φ)     if φ = ∃i : A. φ'  ∧  C' ∩ [A] = ∅,
H_t(t, φ) = H_s(s', φ')        if φ = ∃i : A. φ'  ∧  C' ∩ [A] ≠ ∅,
H_t(t, φ) = H_s(s', φ)         if φ = ∀i : A. φ'  ∧  C' ∩ [A] = ∅,
H_t(t, φ) = 0                   otherwise.

The function H_t takes as input a transition t and invokes H_s to compute the weight of t depending on the structure of the formula φ. As specified in Definition 3, the weight of the arrival state is incremented if either of the two following mutually exclusive conditions holds:

• φ universally quantifies on instances of a principal A (∀i : A. φ') and some instance of A has already joined the context (C' ∩ [A] ≠ ∅);

• φ existentially quantifies on instances of a principal A (∃i : A. φ') and no instance of A is present in the context (C' ∩ [A] = ∅).

Instead, H_t does not increment the weight of the arrival state if either of the following mutually exclusive 3 conditions holds:

• φ existentially quantifies on instances of A (∃i : A. φ') and an instance of A is present in the context (C' ∩ [A] ≠ ∅);

• φ universally quantifies on instances of A (∀i : A. φ') and the context does not contain such instances (C' ∩ [A] = ∅).

Again, the intuition is based on quantifiers. A formula that universally (resp. existentially) quantifies on instances of A can be falsified only if such instances will (resp. will not) be added to the context. Therefore all transitions that add (resp. do not add) an instance of A get a higher value. It is important to mention that in the first and third cases of Definition 3, the recursive call to H_s takes as input φ', the subformula of φ in the scope of the quantifier. This is because once an instance of the quantified principal has been added we are no longer interested in further instances and therefore consume the quantifier. The heuristic H_t returns 0 when φ is a quantifier-free formula: due to the absence of quantifiers we cannot assess how promising t is for finding an attack for φ. We are investigating whether a better heuristic is possible in this case.

Finally, we remark that H_s and H_t terminate on a finite state space because the sub-graph consisting of the join transitions forms a tree by construction 4. Therefore, the recursive invocations from H_t to H_s will eventually be resolved by the last two cases of H_s in Definition 2.

3 Note that all the conditions of the definition of H_t are mutually exclusive.

4 For page limits we do not prove it formally, but it can easily be checked by the informal description of join transitions given in this section.
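As an added worked example (example code, not ASPASyA), the Python below evaluates H_s and H_t on the join tree for a PNF formula given as its quantifier prefix. Its assumptions: instances join one at a time up to a fixed number n, so a context is the tuple of principal names in join order (('A', 'B') stands for {A_1, B_2}); the increment in Definition 3 is by one; and the matrix of the formula plays no role. Run on ψ_NS and ψ_KSL of § 4 it reproduces the −∞ labels discussed there: {B_1, B_2} for NS with two instances, {A_1, A_2} and {B_1, B_2} for KSL with two instances, and two of the eight three-instance contexts for KSL.

```python
# Added example (not ASPASyA code): H_s and H_t of Definitions 2 and 3 on the join tree.
# Assumptions: a PNF formula is given by its quantifier prefix, a list of
# (quantifier, principal) pairs (the matrix plays no role); instances join one at a
# time up to n, so a context is the tuple of principal names in join order and
# ('A', 'B') stands for {A1, B2}; the increment of Definition 3 is by one.
from math import inf

def residual(prefix, ctx):
    """The formula H_t passes on along a join into ctx: the leading quantifier is
    consumed exactly when an instance of its principal is in the arrival context."""
    return prefix[1:] if prefix and prefix[0][1] in ctx else prefix

def H_t(dst, prefix, n, principals):
    """Definition 3 for the join transition arriving in dst."""
    if not prefix:                      # quantifier-free: no guidance
        return 0
    q, A = prefix[0]
    bump = 1 if (q == 'forall') == (A in dst) else 0   # forall & present, or exists & absent
    return bump + H_s(dst, residual(prefix, dst), n, principals)

def H_s(ctx, prefix, n, principals):
    """Definition 2."""
    joins = [ctx + (P,) for P in principals] if len(ctx) < n else []
    if joins:
        return max(H_t(dst, prefix, n, principals) for dst in joins)
    if prefix and prefix[0][0] == 'forall' and prefix[0][1] not in ctx:
        return -inf                     # no instance of A and nobody can join any more: prune
    return 0

def weigh(prefix, n, principals=('A', 'B')):
    """H_s for every context of the join tree, with the formula as it arrives there."""
    table = {}
    def visit(ctx, pre):
        table[ctx] = H_s(ctx, pre, n, principals)
        for P in (principals if len(ctx) < n else ()):
            visit(ctx + (P,), residual(pre, ctx + (P,)))
    visit((), prefix)
    return table

def pruned_leaves(table, n):
    """Contexts of size n labelled -inf, and how many size-n contexts there are."""
    leaves = [c for c in table if len(c) == n]
    return sorted(c for c in leaves if table[c] == -inf), len(leaves)

NS = [('forall', 'A'), ('exists', 'B')]    # psi_NS  = forall i:A. exists j:B. (...)
KSL = [('forall', 'B'), ('forall', 'A')]   # psi_KSL = forall i:B. forall j:A. (...)
```

For ψ_NS with n = 2 the root gets weight 2 through the join of an A, 1 through the join of a B, and the leaf {B_1, B_2} gets −∞; a best-first search ordered by these weights therefore tries the initiator-containing contexts first and never expands {B_1, B_2}. The only guarantee attached to the other weights is the ordering, which is exactly what Theorem 4.1 in § 4.3 does and does not claim.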
4 Evaluation of the Heuristic

In this section we describe with the help of examples how H_s and H_t can find attacks without exploring the complete state space. In the first example the heuristic is applied to the NS protocol and in the second example to the KSL protocol. We also prove the correctness of the heuristic.



4.1 Applying the heuristic to the Needham-Schroeder protocol

Let us consider the property ψ_NS given in § 2.1 as ∀i : A. ∃j : B. (x_j = na_i ∧ z_i = nb_j). Figure 3(a) illustrates a portion of the state space of the NS protocol after the first two join transitions when ψ_NS is considered. Notice that ψ_NS is falsified on any path whose context contains at least one instance of A and no instance of B.




Figure 3: Join transitions and weighted states in the NS protocol. (a) Join transitions of the NS protocol; (b) weighted states in the NS protocol.



The heuristic assigns weights to states and transitions as in Figure 3(b). The highlighted paths (those with 'fat' arrows) are the ones to be explored; the context {A_1, A_2} contains the attack reported below:

1. A_1 → I : {na_1, A_1}_{I+}
2. A_2 → I : {na_2, A_2}_{I+}
3. I → A_1 : {na_1, na_2}_{A_1+}     K ▷ na_1, na_2
4. I → A_2 : {na_2, na_1}_{A_2+}     K ▷ na_1, na_2
5. A_1 → I : {na_2}_{I+}
6. A_2 → I : {na_1}_{I+}

The intruder acts as responder for both A_1 and A_2. As a result of steps 1 and 2, K contains na_1 and na_2, enabling the intruder to send messages to A_1 and A_2 at steps 3 and 4 respectively. This results in the assignments z_1 = na_2 and z_2 = na_1, which falsify the stated property, as it requires a nonce generated by an instance of B to be assigned to those variables.
The other two highlighted paths contain a similar attack; we report the one with context {A_1, B_2}:

1. A_1 → I : {na_1, A_1}_{I+}
2. I → A_1 : {na_1, I}_{A_1+}       K ▷ na_1, I
3. A_1 → I : {I}_{I+}
4. I → B_2 : {na_1, I}_{B_2+}       K ▷ na_1, I
5. B_2 → I : {na_1, nb_2}_{I+}
6. I → B_2 : {nb_2}_{B_2+}          K ▷ nb_2

Again, at steps 2 and 4, A_1 and B_2 receive the identity of the intruder instead of a nonce generated by B, resulting in an attack.

It is evident from Figure 3(b) that the heuristic assigns appropriate weights to the paths that contain an attack. It is worth mentioning that the context {B_1, B_2} has been labelled −∞, therefore the search will never explore this state. This suggests that approximately a quarter of the state space can be pruned by applying the heuristic. This is a rough estimate taking into consideration the symmetry in the state space (the context {A_1, A_2} is similar to {B_1, B_2} and {A_1, B_2} is similar to {B_1, A_2}).



4.2 Applying the heuristic to the KSL protocol

We consider the analysis of (the second phase of) KSL [20] done in [18]. The protocol provides repeated authentication and has two phases: in the first phase, (i) a trusted server S generates a session key kab to be shared between A and B, and (ii) B generates the ticket {Tb, A, kab}_{kbb} for A (where Tb is a timestamp and kbb is known only to B).

In the second phase, A uses the ticket (while it is valid) to repeatedly authenticate herself to B without the help of S. The second phase can be specified as follows:

1. A → B : na, {Tb, A, kab}_{kbb}
2. B → A : nb, {na}_{kab}
3. A → B : {nb}_{kab}

A sends a fresh nonce na and the ticket to B, who accepts the nonce challenge and sends nb together with the cryptogram {na}_{kab} to A. In the last message, A confirms to B that she holds kab. In cIP, A and B can be represented as follows:

A : (b, sk, tk)[ out(na, {b, A, sk}_{tk}). in(?y, {na}_{sk}). out({y}_{sk}) ]
B : (a, sk, tk)[ in(?x, {B, a, sk}_{tk}). out(nb, {x}_{sk}). in({nb}_{sk}) ]

(where for simplicity the timestamp generated by B is replaced by his identity). Authentication is based on the mutually exchanged nonces and is formalised as follows:

ψ_KSL = ∀i : B. ∀j : A. (b_j = B_i ∧ a_i = A_j → x_i = na_j ∧ y_j = nb_i)

which reads: any pair of properly connected "partners" B_i and A_j (b_j = B_i ∧ a_i = A_j) eventually exchange the nonces na_j and nb_i.

Figures 4(a) and 4(b) depict the weighted join transitions for 2 and 3 principal instances respectively. The verification with 2 principal instances reports no attack, and this conclusion can be reached by exploring just half of the state space (the contexts {A_1, A_2} and {B_1, B_2} are labelled −∞; see Figure 4(a)).
Figure 4: Join transitions of KSL. (a) 2 principals; (b) 3 principals.

In the case of 3 principal instances the attacks are found on the highlighted paths (those with 'fat' arrows in Figure 4(b)). The heuristic assigns appropriate weights to such paths, and 2 states are labelled −∞, suggesting a rough cut of a quarter of the state space.

The examples show that the heuristic is able to guide the search algorithm towards promising paths containing attacks. Moreover, a considerable part of the state space is pruned, reducing the number of states to be explored by the search algorithm.

4.3 Properties of H_s and H_t

First we would like to briefly comment on the admissibility of our proposed heuristic. Admissibility of heuristics is important in problems where it is possible to reach many goal states along different paths, each path having a different cost. Hence, it may be important not only to find a goal state, but also to find the goal state on the path with the best (or an acceptable) cost (as discussed in § 2.2 for the n-puzzle). In such cases, it is important for the heuristic function to return an estimate of the cost to reach a goal from the state.

We contend that for security protocols the situation is different. In fact, the goal state in this case is an "attack", namely a state that violates the security property. Typically, it is very hard to compare the importance of different attacks, as the violation of a property may be due to many causes (as for the NS example in § 4.1). Therefore, optimality of the attack is of less concern when validating protocols; what matters in the first instance is to find an attack, if any. We regard the problem of finding optimal solutions as important, but we do not consider it in this paper.

It is also important to remark that the weights assigned by H_s and H_t to states and transitions do not evaluate the proximity to a target state. Rather, they estimate the likelihood that the state leads to an attack. This leads to a different scenario, where the heuristic function does not have to return the cost to reach a goal node; our heuristic returns a value that corresponds to the chance that nodes and transitions are on a path leading to an attack. We therefore contend that admissibility is not an issue in our case.

The following theorem proves the correctness of our heuristic; namely, it shows that the pruned parts of the state space do not contain any attack.

Theorem 4.1. If H_s(s, φ) = −∞ then, for any state s' = ⟨C', χ', K'⟩ reachable from s = ⟨C, χ, K⟩, K' ⊨_{χ'} φ.

Proof. (Sketch) Suppose that there is an s' reachable from s such that K' ⊭_{χ'} φ. Then K' ⊨_{χ'} ¬φ and, by the definition of ⊨ (the relation ⊨ is reported in Appendix A), there is A_n ∈ C' (because H_s(s, φ) = −∞ implies φ = ∀i : A. φ'). However, by hypothesis s ∩ [A] = ∅ and sT = ∅, hence s' ∩ [A] = ∅ and therefore s' does not satisfy ¬φ. □

5 Concluding Remarks

We have designed a heuristic that can be applied to improve the MC of cryptographic protocols. The proposed heuristic can drive the search algorithm towards states containing attacks with respect to a security formula. Our heuristic may also prune parts of the state space that do not contain attacks. We have shown that the heuristic is correct, namely that the pruned parts of the state space do not contain attacks.

The formal context in which the heuristic is defined is the one proposed in [18], which features the cIP calculus and an ad-hoc logical formalism, called PL, used respectively to express protocols and security properties. An original aspect of PL is that it can quantify over principal instances. Formulas of PL are checked against the (symbolic) semantics of cIP by a tool called ASPASyA (Automatic Security Protocol Analysis via a SYmbolic model checking Approach) [4].

5.1 Related work 

At the best of our knowledge, the use of heuristics to analyse cryptographic protocols has not been much 
studied. 

The concept of heuristics in cryptographic protocol verification has been used in [14]. The idea 
is to construct a pattern (footnote 5), pt = (E, →), where E is a set of events and → is a relation on the 
events. It is then checked whether pt can give realizable patterns, which are actual traces of the protocol 
that represent an attack. For each event execution e, there are certain terms that need to be in the 
intruder's knowledge or that are added to the intruder's knowledge, represented by in(e) and out(e) 
respectively. A process called pattern refinement is applied to get realizable patterns for those events 
whose in(e) requirements are not satisfied. An open goal represents such a requirement and is selected 
from the set of potential open goals on the basis of the heuristics. In [14], 5 heuristics have been 
reported (e.g., an open goal is selected randomly, or open goals that require a decryption key have 
higher priority). However, the whole state space must be searched if there are no attacks. We argue 
that our approach can give better results as it can prune certain parts of the state space even when 
there are no attacks (as seen in § 4.2). 

In [5], heuristics have been used to minimize the branching factor for infinite-state MC of security 
protocols. Mainly, the heuristics in [5] reorder the nodes; for instance, actions involving the intruder are 
rated higher than actions initiated by honest participants. However, these heuristics are very basic and, 
as noted in [6], the tool does not scale to most protocols. 

Though heuristic methods have not received much attention for MC of security protocols, they have 
been studied for MC in general. 

In [19], a heuristic has been defined in terms of both the model and the formula to be verified, and it 
can also prune the state space. Our heuristic seems to fall under the general conditions considered in 
[19] and we plan a deeper comparison. 

In [2], the heuristic called 'NEXT' compresses a sequence of transitions into a single meta transition. 
This eliminates transient states and therefore the search algorithm does less work to find the goal 
node. Similarly, in [16] heuristics for safety and liveness of communication protocols are given. To the 
best of our knowledge, the heuristics in [16] (and references therein) allow the state space to be cut only 
in a few trivial cases. 



5 E.g. a pattern can be a representative of all traces violating secrecy. 

5.2 Future work 

This paper proposes the first step of a research program that may develop in several directions. 

First, other heuristics can be designed and studied; in fact, we are planning to define two heuristics. 
The former exploits the intruder's knowledge K and the cIP protocol specification, while the latter 
exploits joining formulae, another feature of cIP (also supported by ASPASyA). Joining formulae 
enable the analyst to express conditions on how principals should be joined (by predicating over 
open variables) (footnote 6). 

The first heuristic will rank states considering the actions that principal instances are ready to execute 
with respect to the formula to falsify. For instance, if the goal is to prove that a variable should not be 
assigned a given value, the heuristic may rank higher those states that assign such a variable. 

The second heuristic may instead be used to avoid the anticipation of all the joining formulae at the 
beginning (which may be computationally expensive) and use them to decide which instance to introduce 
in a given state. 

It will also be rather interesting to study the combined effect of those heuristics (e.g., to consider 
their sum, or the max, etc.), or to use multiple heuristics during the search depending on the structure 
of the state: in one state, one heuristic might be more suitable than the others. Further, we intend 
to implement these heuristics in the existing tool in order to determine the efficiency achieved in terms 
of space and time. 

We also plan to consider heuristics in other verification contexts. For instance, using strand spaces [17], 
the approaches in [27, 22] express properties in terms of connections between strands. A strand can be 
parameterised with variables and a trace is generated by finding a substitution for which an interaction 
graph exists. These approaches provide devices very similar to the join mechanism of cIP and may 
be suitable for heuristics similar to ours to help in finding the solution of the constraints. Also, in [9] a 
symbolic semantics based on unification has been adopted to verify security protocols with correspondence 
assertions and the use of trace analysis. We think that in this case too heuristics may drive the 
search for an attack in a more efficient way. 
A Model for formulae of the logic 

We borrow from [18] the definition of models for formulae of the logic. 

Definition 4 (Model for formulae). Let $\chi$ be a mapping from indexed variables to indexed messages, 
$K$ a knowledge and $\phi$ a closed formula of the logic. Then $(K, \chi)$ is a model for $\phi$ if 
$K \models_\chi \phi$ can be proved by the following rules (where $n$ stands for an instance index): 

$$
\frac{x_{a_n}\chi = m\chi}{K \models_\chi x_{a_n} = m}\ (=)
\qquad
\frac{K \triangleright m\chi}{K \models_\chi K \triangleright m}\ (\triangleright)
$$

$$
\frac{\text{exists } n \text{ s.t. } A_n \in K \qquad K \models_\chi \phi[n/i]}{K \models_\chi \exists i{:}A.\ \phi}\ (\exists)
\qquad
\frac{\text{forall } n \text{ s.t. } A_n \in K \qquad K \models_\chi \psi[n/i]}{K \models_\chi \forall i{:}A.\ \psi}\ (\forall)
$$

The remaining rules are $(\wedge)$, $(\vee 1)$, $(\vee 2)$ and $(\neg)$, for the propositional connectives. 
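As an added example (not the paper's or ASPASyA's code), the following Python checker implements the satisfaction relation $K \models_\chi \phi$ of Definition 4 for the recoverable rules, quantifying over the principal instances $A_n$ present in $K$ and applying $\chi$ to indexed variables. The tuple encoding of messages and formulae, the sample knowledge, the rules for the propositional connectives and the knowledge-derivation relation $K \triangleright m$ (taken here as a Dolev-Yao style closure, since the page does not define it) are all assumptions of this example.

```python
# Added example, not the paper's code: a checker for K |=_chi phi following the
# recoverable rules of Definition 4.  Messages: atoms (str), ('pair', m1, m2) or
# ('enc', key, payload); indexed variables: ('var', name, idx); instances A_n in K:
# ('inst', A, n).  Assumed: usual and/or/not rules and Dolev-Yao style K |> m.

def subst(t, chi):                       # apply chi (indexed var -> message)
    if isinstance(t, tuple):
        return chi.get(t, t) if t[0] == 'var' else tuple(subst(x, chi) for x in t)
    return t

def rename(t, i, n):                     # phi[n/i]: instance index n for variable i
    if isinstance(t, tuple) and t[0] == 'var' and t[2] == i:
        return ('var', t[1], n)
    return tuple(rename(x, i, n) for x in t) if isinstance(t, tuple) else t

def derivable(K, m):                     # K |> m (assumed deduction rules)
    known = set(K)
    while True:                          # saturate: split pairs, decrypt with known keys
        new = {p for t in known if isinstance(t, tuple) and t[0] == 'pair' for p in t[1:]}
        new |= {t[2] for t in known if isinstance(t, tuple) and t[0] == 'enc' and t[1] in known}
        if new <= known:
            break
        known |= new
    def build(x):                        # compose pairs/encryptions from derivable parts
        return x in known or (isinstance(x, tuple) and x[0] in ('pair', 'enc')
                              and build(x[1]) and build(x[2]))
    return build(m)

def models(K, chi, phi):                 # K |=_chi phi
    op = phi[0]
    if op == 'eq':                       # (=): x_{a_n} chi = m chi
        return subst(phi[1], chi) == subst(phi[2], chi)
    if op == 'know':                     # (|>): K |> m chi
        return derivable(K, subst(phi[1], chi))
    if op in ('exists', 'forall'):       # quantifiers range over the A_n in K
        _, i, A, body = phi
        res = [models(K, chi, rename(body, i, t[2]))
               for t in K if isinstance(t, tuple) and t[:2] == ('inst', A)]
        return any(res) if op == 'exists' else all(res)
    if op == 'not':
        return not models(K, chi, phi[1])
    l, r = models(K, chi, phi[1]), models(K, chi, phi[2])
    return (l and r) if op == 'and' else (l or r)   # 'and' / 'or'

# Constructed sample: two instances of A; the intruder knows kab and {na1}_kab.
K = {('inst', 'A', 1), ('inst', 'A', 2), 'kab', ('enc', 'kab', 'na1')}
CHI = {('var', 'nonce', 1): 'na1', ('var', 'nonce', 2): 'na2'}
SECRECY = ('forall', 'i', 'A', ('not', ('know', ('var', 'nonce', 'i'))))
LEAK = ('exists', 'i', 'A', ('and', ('know', ('var', 'nonce', 'i')),
                                    ('eq', ('var', 'nonce', 'i'), 'na1')))
def example():                           # returns (False, True)
    return models(K, CHI, SECRECY), models(K, CHI, LEAK)
```

With the sample knowledge the secrecy formula fails because instance 1's nonce is derivable, while the existential formula exhibits exactly that instance.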